Daily Archives: March 12, 2019

SAN FRANCISCO — Nation-state threats are becoming so prevalent that incident response vendors are finding signs of actors from multiple countries lurking in the same victim’s network.

Three of the industry’s largest incident response vendors — IBM X-Force, FireEye and CrowdStrike — shared troubling developments about nation-state threats during a panel discussion at RSA Conference 2019 here this week. Wendi Whitmore, global lead of IBM X-Force Incident Response and Intelligence Services, said there’s been a convergence with nation-state advanced persistent threat (APT) groups, both with the tools they use and the targets they select.

“It’s pretty common these days to go through an organization and we’ll see three to four nation-state actors in the same organization, many of them with the different objectives, but [operating] in the same location and targeting similar types of data,” she said.

Thomas Etheridge, vice president of services at CrowdStrike, based in Sunnyvale, Calif., said his company has also seen a convergence with nation-state threat groups within specific industry verticals. He also noted an increase in ransomware attacks in the last six months, which was an example of the “big game hunting” trend of APTs targeting specific organizations that were likely to pay hefty ransoms.

“They’re really looking to focus on monetizing aggressively across the industry verticals they know will have the pocketbooks to pay,” Etheridge said.

Nation-state threat groups adopt new tools, techniques and procedures, and change their approaches, said Stuart McKenzie, vice president of Mandiant Consulting, EMEA, at FireEye, based in Milpitas, Calif.

“We’re beginning to have to think about how we spot nation-state actors doing different things,” he said. “And we have to think more about what they could do [instead of what they’ve done in the past].”

Increasing sophistication

IBM X-Force saw a “rise in sophistication” last year with Iranian nation-state hackers, according to Whitmore. “They’ve come a tremendously long way from website defacements over the past decade into the actual theft of intellectual property and highly targeted thefts.”

McKenzie agreed and cited the Iranian domain name system hijacking campaign as an example of the sophistication. That campaign, which McKenzie called “quite cunning,” involves several stages and techniques, as well as a high level of coordination and planning.

North Korean APTs have also risen in prominence and sophistication, and they have used those skills to, for example, attack financial institutions for monetary gains, Whitmore said.

Etheridge also said North Korea’s capabilities have increased, and he cited data from CrowdStrike’s 2019 Global Threat Report as evidence of that trend. The report measured breakout time, which is the window of time from when an adversary first compromises a device to when they begin moving laterally through an environment. CrowdStrike reported Russian adversaries had the shortest breakout time, with just under 20 minutes, while the average breakout time was four hours and 37 minutes. North Korean actors were second, with approximately two hours.

“That was surprising to us, because we thought it would be China [in second place],” he said. “Their investment over the last 10 years in advancing their capabilities on the cyber front really is starting to pay dividends for them, especially when it comes to monetization.”

They’ve come a tremendously long way from website defacements over the past decade into the actual theft of intellectual property and highly targeted thefts.Wendi Whitmoreglobal lead of IBM X-Force Incident Response and Intelligence Services

McKenzie said another indicator of nation-state cyberattack capabilities is dwell time, or the amount of time a threat actor has remained on a network after first compromising it. FireEye’s Mandiant M-Trends 2019 report showed the average dwell time in incidents it observed last year was 50.5 days, which was a decrease from the average of 57.5 days in 2017.

While the overall dwell-time drop was good news, McKenzie said attacks in the EMEA region have seen dwell times increase over the last year. But, as the M-Trends 2019 report showed, some nation-state threats are getting better at hiding inside victims’ networks for longer periods of time. That not only puts more data and critical assets at risk, he said, but it also makes incident response and investigations more expensive and difficult to conduct.

“The longer it goes, the harder it becomes,” McKenzie said. “And if it goes on for a significant amount of time, then you begin to no longer trust your infrastructure, because you don’t know what the attackers have done.”

Security information sharing must improve

The RSA Conference panelists said improvements in sharing security information could help cut down breakout times and dwell times. Etheridge said information sharing does occur between competing vendors, but he also said it could be improved.

McKenzie agreed, but said one of the challenges FireEye faced was reluctance from customers to share any security information, even indicators of compromise, from an incident they experienced.

“We want to share. We want to help more people,” he said. “But [customers] say, ‘Even if the data tangentially ties to us, we don’t want anyone to discuss it.'”

Jason Brvenik, CTO of NSS Labs, a technology testing firm in Austin, Texas, that provides cybersecurity guidance, said many security vendors do indeed share information, whether informally or through channels such VirusTotal or other public resources and exchanges. However, there are limits that are often imposed by the vendors, because identifying new threats is a competitive advantage, and sharing the information about the threats can negate it.

“It’s all about the amount of time to go play with [new samples] and inject new things to test scenario,” Brvenik said. “The vendors know that dynamic is there, so they’ll hold back letting that information go out long enough for them to have that advantage.”

______________________________________________________This message is automatically inserted in all classifieds forum threads.By replying to this thread you agree to abide by the trading rules detailed here.Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

Landline telephone number. Make a call to check out the area code and number are correct, too

Name and address including postcode

Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

After 10 years, support for Windows 7 is coming to an end on January 14, 2020, with Office 2010 following shortly thereafter. We are here to help you with recommendations for what to do next and answer questions that you may have about end of support.
End of support means that your Windows 7 or Office 2010 software will no longer receive updates, including security updates. But, there’s good news – Windows 10 is the most secure Windows ever and Office 365 delivers the latest in personal productivity. Together they make a perfect pair to help you do everything you were doing before – safer, faster and easier.
To help our customers get advanced notice of this change, we are reaching out with information and resources. Beginning next month, if you are a Windows 7 customer, you can expect to see a notification appear on your Windows 7 PC. This is a courtesy reminder that you can expect to see a handful of times in 2019. By starting the reminders now, our hope is that you have time to plan and prepare for this transition. These notifications are designed to help provide information only and if you would prefer not to receive them again, you’ll be able to select an option for “do not notify me again,” and we will not send you any further reminders. Just as software has changed over the years, so has hardware. To learn more about the latest line-up of modern PCs and information for moving from Windows 7 to Windows 10, just click on the “learn more” button on the notification.
If you want to get started today, you can visit www.microsoft.com/windows7 to find out more. The transition to Windows 10 and Office 365 has never been simpler and this site is designed to help you along that journey. The content available will help you with data transfer to easily get your photos and documents onto a new PC. It will also show you tips for choosing a new device and getting up to speed quickly with the familiar but newer versions of Windows and Office. Once you have started with a new device, online support is always a single click away – whenever you’re ready, we’re here to help. You can also visit a physical Microsoft Store for help with any technology issue no matter where you purchased the device.
For commercial customers, you’ve been on this journey for a while now. Check out this blog post from January or go here to learn more about the shift to a modern desktop with Microsoft 365 – including Windows 10 and Office 365 – for your business.
Thank you to all of you who have loved Windows 7 and Office 2010 and for letting us serve you and be part of your lives. We’re grateful for your loyalty and we’re here to help you through this transition.
Thanks,Matt

Exchange Online has been around for about 10 years, and the hosted email platform has been a main driving factor to get a business to migrate to Office 365. But, despite steady development over those years, there are still some hang-ups you need to be aware of.

There’s a long list of reasons to consider a migration to Exchange Online. The lure of not having to manage the underlying infrastructure and storage requirements of Exchange Server is an easy sell for many in IT. Most people who manage Exchange Server do not enjoy the chores associated with regular patching and database host juggling. But there are some drawbacks.

Even a well-managed project cannot smooth out every migration bump. What follows is a small sampling of some of the difficulties I’ve encountered when switching from on-premises Exchange to an Exchange Online hybrid arrangement.

Mailbox permissions for groups might require adjustments

I manage shared mailboxes by creating an Active Directory (AD) group, adding members to that group and giving that group access to the mailbox. You lose the ability to automatically map secondary mailboxes in Outlook, but you get better visibility on who has access to what. It’s also easier to add a department group inside this group, if the entire department needs mailbox access.

However, the group will stop working when you migrate that shared mailbox to Exchange Online, unless you make the following configurations:

The group is synced to Azure AD. (If you sync your entire AD, which is what Microsoft recommends, then you’re fine).

The group needs to be a mail-enabled security group.

The group is a universal group, not the default global scope.

Without this arrangement, the shared mailbox won’t work properly. Even if you use PowerShell to force a non-mail-enabled security group to have access to a shared mailbox, Exchange Online still cannot recognize group members to give them access.

Coping with distribution list management

There’s a long list of reasons to consider a migration to Exchange Online. The lure of not having to manage the underlying infrastructure and storage requirements of Exchange Server is an easy sell for many in IT.

On-premises Exchange Server enables administrators to appoint users to manage distribution lists, giving them the ability to add or remove members via the Outlook address book. It’s a great way to hand off the responsibility of list maintenance to the users.

However, Microsoft does not support this in Exchange Online. You can give users limited access to one of the Exchange utilities for group management, but this isn’t ideal. You could explore a third-party product to let a user manage groups directly in AD with a utility or web interface, but that’s not as simple as the address book method.

The best way around this is to migrate groups to Office 365 Groups instead. Microsoft designed the Office 365 Groups feature for user management and gave it a huge amount of extra functionality compared to a standard distribution list. But this switch is a significant change and might not be an option for your organization. If that’s the case, then it might take some work to find an easier way for users to manage group members, or this task may fall on the help desk.

Better performance comes at a cost for secondary mailboxes

Unless you make some configuration changes, mailbox performance is slower when you switch from on-premises Exchange to Exchange Online. Microsoft recommends switching from online mode to cached mode for the best experience. This also carries over to secondary mailboxes, but this change will cause some issues if you need to view old email.

In online mode, you can see all email, but it is slower to navigate and overall general use for the end user suffers. Depending on your connection and how many hops you are away from your mailbox, this performance can vary drastically, which is why Microsoft endorses cached mode.

However, cached mode comes with its own caveat: The setting for your primary mailbox’s offline mail also applies to all secondary mailboxes. Any email older than your offline setting on a secondary mailbox isn’t visible in Outlook. There’s no “Click here to view more on Microsoft Exchange” link when the email stops, which can make certain situations frustrating for an end user. There is no smooth workflow for a workaround for this issue.

You have an amazing idea. You’ve taken the core concepts of your idea and turned them into a prototype, a Minimum Viable Product (MVP). The prototype is the first pass. It’s not pretty, nor complete, and often not tested. Frank Robinson said when he coined the MVP term:

… think big for the long term but small for the short term. Think big enough that the first product is a sound launching pad for it and its next generation and the road map that follows, but not so small that you leave room for a competitor to get the jump on you.

Once you have your prototype and you know that it’s viable, how do you turn it into a fully-fledged product and how do you get there? Enter the product road map.

This post is an introduction to product road maps and presents a high-level structure for road maps and a process for how to build them. We assume you’re using an Agile (or Agile-ish) methodology, but we’re not strongly opinionated about what sort of Agile you embrace. This isn’t a definitive guide to product road maps but a starting point from which to get started, experiment, and learn what works for you.

Note:This is just one take on how to structure your product road map. There are a lot of views and opinions about the right approach to product road maps. We suggest you read and experiment with a few to find one that works for you.

What is a product road map

A product road map is a plan for your product. It’s a strategic document that helps you plan for your product, its growth, and keeps your team on track in executing on that growth. It is what allows your Product organization, and your Product Managers, to know and report where you are, where you’re going, and what the steps are along the path.

A good road map is the “north star” for your product. It connects the long-term vision your organization has for the product with the operational and customer reality on the ground. From your road map, your Product and Engineering teams derive the list of work that they’ll undertake and populate backlogs.

A living document

A road map is a living document. Its development is iterative and organic. It changes as priorities and focusses change, as the product grows, you learn what product market fit looks like, and you learn from your customers. A real product road map is never finished.

How often you update your road map usually depends on how mature your organization is, early-stage startups probably have road maps that range out 3 to 6 months and are updated monthly. A larger or more mature organization might plan quarterly with some, less stable, future plans laid out for coming quarters.

Note: Backlogs, the collections of stories, bugs, ideas, and cocktail napkins of genius, are not road maps. A backlog is a pile of work: imagine the pile of clothes dumped on the bed before Marie Kondo organizes them. You might draw items from your backlog for the road map, but they’ll need to go through a process of analysis and prioritization before being added.

A collaborative, iterative, and data-driven document

A great product road map is a collaboration between many partners across your organization. Owned and collated by your Product team, it draws on inputs from internal groups like Engineering, Support, Marketing, and Sales. It is also driven by external data collected from your product, your customers, your competitors, your investors, and the market.

A good Product Manager is constantly gathering this data, validating, and feeding into the road map, and seeing how, or if, it impacts plans. The Product Manager is also feeding in the outcomes of the ongoing work you’re doing, whether the features you have build had an impact on metrics like user adoption, customer satisfaction, or whatever else drives your business.

The outcomes from our road map then become part of the inputs, together with the continuous data gathered from the other sources, and combines to form an iterative, cyclical, document.

A road map isn’t easy

A product road map is hard to make. It’s a balancing act of finding the right features to build, evaluating customer asks versus product goals (like avoiding being captured in the orbit of a single large customer!) and then applying the engineering and design resources you have available to you.

Let’s look at the high-level components that make up a road map.

Why, always start with why

The product road map is the strategic guide to building your product. Every road map should open with the mission:

Why are you making this product?

What problem are you solving?

Who are you building it for?

If you can’t answer these questions or haven’t yet done so, then you need to rethink building a road map or developing the product in the first place!

The art of defining a mission is beyond the scope of this post but remember that everyone in your Product, Design, and Engineering teams should be able to give the product’s “elevator pitch” and understand and absorb the answers to these three questions. They provide those teams with a reference point to validate the work they are doing is the right work and that it is adding value to the product. Both key drivers for engineer happiness. If you can’t connect work to the mission (or engineering tooling that accelerates your development) in some way, then it’s probably a good indication that it is work you should not be doing.

Know your audience

In addition to knowing who you are building your product for, you should know who you are making your road map for. Every audience of a road map will have different expectations: what investors, your executive team, or your customers want to see is different from the needs of your product and engineering teams. Since your road map can’t be all things to all people, you’ll need to consider different formats or documents for these different audiences.

You will want to produce a high-level presentation with quarterly milestones for investors and executives. They are interested in your high-level goals and the total time and cost of development work. Customers (and Sales and Marketing) want to see what features you’re adding that will give customers more capabilities or make the product easier to use. Your product engineering teams are looking for lower-level tactical information, sprint and story-level, that will tell them what to work on right now.

This revelation often prompts a debate about the single source of truth for your road map. If suddenly you have data in multiple places, then you need to update them all when something changes. This is where an off-the-shelf road map tool starts to come in handy. There is a wide selection of potential tools ranging from add-ons or extensions to common ticketing frameworks like Jira, GTD planning tools like Trello and Asana, or specifically product-centric road map tools like Clubhouse. These tools allow you to have a single source of truth and output the data in a variety of forms, suitable for varying audiences. If you don’t already have a tool, then we recommend you try a few to find one that suits your team. And, don’t forget to consider some growth: will it still work for your team in 6-12-18 months?

Prioritization

As we mentioned earlier, one of the critical differences between a backlog and a product road map is prioritization. You’re never going to have the resources to work on every aspect of your product at once, so you need to prioritize the work. There are numerous approaches to prioritization, too many to cover in this post.

What we’ve discovered in working with teams though, is that nothing deflates morale more than a seemingly arbitrary process of prioritization, this doesn’t foster good team relations and productivity. So pick an approach, establish and agree to it with your team, and be transparent about the process, especially any exceptions you make to the process like “the CEO says we should build…”!

Build from the top down

Now that you’ve added our mission to your road map let’s continue to work top down; from the least granular component to the most granular.

Mission: your reason for building the product, we’ve discussed this above.

Themes: high-level components of the product, for example, “Acquire new customers.”

Milestones: groups of epics, time-boxed, for example, three months worth of work.

Epics: collections of user stories that often represent a feature, for example, Authentication.

User Stories: user-centric stories that describe a requirement. Usually collected in an epic.

We always recommend this approach because the top-level components are closer to the mission and should be a logical progression of detail, easily rolled up and tied to that mission. The alternative, starting from the base and writing up a series of user stories, leaves a lot of space between your mission and its practical application. We find if you start with that base you end up twisting the top-level components into the shape of the user stories and not vice-versa.

So we start with breaking our product into themes.

Themes

Themes are the present articulation of some aspect of the overall mission. You break down the journey to mission success into the current themes you need to focus on to continue that journey. A theme might be: “Acquire more customers!”, “Reduce customer churn” or “Increase stability of notifications.” They could also reflect internal priorities: “Streamline deployment!” or “Reduce test suite run time.”

Themes provide the glue between the mission and the tactical work to be done to execute on the mission.

A good theme can be clearly traced back to the mission but also has direct and immediate outcomes and measures. Themes should be tied to measures and metrics that demonstrate the impact of the theme, for example, if the theme is to acquire new customers, then the measure might be a customer acquisition target.

Themes are also an excellent way to communicate progress to stakeholders:

This quarter we’re going to focus on reducing customer churn by 20% by working on the look and feel of the UI, adding a recommendation engine, and the reporting capabilities of the product.

A theme, or a variant of a theme, will likely be repeated throughout a product’s lifespan, so it’s important to be as explicit as possible about the theme and what it achieves in this particular incarnation. This also ensures you keep your theme focussed and you make it achievable.

Next, let’s think about milestones for our road map.

Milestones

A milestone is a collection of themes, epics, and stories. It might be a version of your product, for example, version 1.0 or it might be a month, three months, or another period. We strongly recommend time-boxing milestones, either explicitly by adding a target date or using a time-based interval like months or weeks.

Each milestone usually has a few themes associated with it. A milestone also allows you to report what you’re going to achieve to address that milestone and will enable you to measure progress towards that goal. This is likely the component that your leadership team or customer will be most interested in your reports on. So you need to be realistic about what you can achieve in a milestone.

This quarter we plan to focus on two themes: “Acquire more customers!” and “Reduce customer churn.”

Note: You’ll hopefully have some form of estimates in your stories, that rolls up into your epic. You’ll see more about that later in the post. You know the resources available to you and should be able to solve for what’s possible in a milestone using this data. Again, having a tool that handles milestones and estimates automatically is very useful.

Startups tend to be fast-moving, priorities and resourcing and requirements change quickly, so most people don’t plan milestones beyond short and medium periods, for example, 1-6 months. Anything beyond that starts to become more like guesswork than planning. We suggest planning 2 milestones, say month 1 and month 2, so you know what you’re doing now and broadly what you plan to do next.

Epics

Contained inside of your themes are epics. Epics are collections of stories, generally aligned with a feature of some kind. Earlier in the post, we talked about a theme of “reducing customer churn” and how it included working on look and feel, a recommendation engine, and the reporting interface. Each of these can be broadly considered features. So our recommendation engine feature would be described as an epic. To build that engine you might have an epic called “Recommendation Engine,” perhaps containing user stories for:

The back end engine.

A data pipeline.

The recommendation algorithm.

The recommendations interface.

Each epic should have a description and measures of success. For our recommendation engine, this might be:

An engine that returns product recommendations based on customer’s prior purchases. The recommendation engine must return the customer a minimum of 3 recommendations within 1ms.

Like themes and milestones, epics are about achievable and measurable goals. You might be thinking “we’re measuring a lot of elements in our road map,” but this is key to having a realistic road map. At every level of the road map, you can determine progress towards objectives, what success looks like, have a clear measure of it, and adjust the objectives and measures if circumstances change. This allows you to understand where the product is in terms of completion and success and is critical to managing your product’s delivery.

Note: Themes are often applied to epics and stories as tags. This is also a bonus of a product management tool, they allow you to define collections of elements that make reporting and tracking easier.

Inside our epics are user stories, the basic unit of work for most product engineering, let’s look at them now.

User stories

User stories are the base artifacts for Agile planning. A user story is a high-level definition of a requirement. It should contain enough information that the requirement is understood and a reasonable estimate of the effort required to build it can be made.

User stories are written throughout the development life cycle, but the core of them are usually written when you create an epic. Typically, the whole team involved, and often stakeholders from the business or even customers, and the stories are written in a workshop-like forum. Further stories will evolve as the epic proceeds, to address new requirements or to split existing stories that have become too complex. Some stories will even evolve into epics in their own right if they turn out to be very complex or emerge as functionality worth extending.

A good user story contains a summary of the requirement, no more than one or two sentences, a series of stories about the requirement, a test of the story’s success, and a rough estimate. Those stories typically follow a format something like:

As a < type of user >, I want < some goal > so that < some reason >.

They tell the story of what the user wants, expects, and needs from the requirement. Let’s look at an example story for our recommendation engine.

Build a content-based recommendation algorithm.

As a customer, I want to see recommendations based on my prior purchases so I can find the best items to buy.

etc…

Test: The algorithm returns three content-based recommendations for a customer’s user ID.

This is a very formal user story, a lot of organizations often use more lightweight and informal representations. If a story feels like it has too much detail, then the traditional approach is to split the story into smaller stories.

Note: Themes are often applied to epics and stories as tags. This is also a bonus of a product management tool, they allow you to define collections of elements that make reporting and tracking easier.

Go build

These are the building blocks (or at least one approach anyway!) of a successful and useful product road map. We want to leave you with some parting points that have served us well in working on road maps and with Product teams.

Find a good tool that works for you to manage your road map. The less labor you spend on administering your road map, the more time you can spend on managing your product.

Be transparent and honest with your team and leadership about the road map process, prioritization, and progress. Nothing breaks team morale and the faith of leadership in a startup faster than a breach of trust here.

Be inclusive of everyone in your road map process, both by seeking folks out as inputs and by sharing the status and outputs widely with the company. Your all hands or all company communications should always include product updates.

Good luck and we hope this will prove useful to you. Go build some awesome products!

Avaya released three new video conferencing devices, among them a collaboration unit that businesses can rent for a monthly fee. The pricing strategy could help the vendor battle more established video hardware makers, such as Logitech and Polycom.

The Avaya IX Collaboration Unit is an all-in-one device, with a camera, microphone and video codec, designed for use in small conference rooms, or huddle rooms. The product can be used with the Avaya video conferencing app, Equinox, or with any other Android-based video software.

Avaya also released two USB cameras for huddle rooms: the HC020 and the HC050. Those products work with a laptop running the Equinox client or Avaya’s Scopia XT room systems. Unlike the IX Collaboration Unit, the USB cameras require a connection to a computer to process video.

The announcement this week was one of the most significant expansions of the Avaya video portfolio since the company’s 2012 acquisition of video hardware vendor Radvision. Over the past several years, Avaya has continued selling Radvision’s room systems under the XT brand and worked to integrate the company’s technology into Equinox.

Avaya has now set its sights on the booming huddle room market, which is being targeted with USB conference cameras and cheap room systems from vendors, including Logitech, Polycom and Cisco.

“This will be a tough sell for them, given the already crowded market,” said Irwin Lazar, analyst at Nemertes Research in Mokena, Ill.

The Avaya IX Collaboration Unit (pictured atop the monitor) is designed for huddle rooms. It works with the Avaya Equinox client, as well as Android-based UC software from other vendors.

Subscription pricing for Avaya video products

Piggybacking on the growing interest in subscription-based pricing for cloud software, Avaya will apply that same pricing model to the IX Collaboration Unit.

Rather than paying $899 to buy the IX Collaboration devices, businesses will have the option of renting them for between $19 and $24 per month, depending on the length of the contract.

Avaya will also bundle the cost of subscriptions to Equinox, so businesses can obtain both the hardware and software for under $45 per month. However, under the new pricing model, dubbed Huddle as a Service, businesses will need to return the devices to Avaya at the end of the contract term.

“Avaya Huddle as a Service appears to be a differentiated offer in the intensifying huddle room technology segment,” said Rob Arnold, analyst at Frost & Sullivan.

For now, the subscription plan is available only for the IX Collaboration Unit, not the USB cameras or any XT room system. However, the company said more devices may be added to the subscription plan in the future. Avaya said in December that it would let businesses rent desk phones.

______________________________________________________This message is automatically inserted in all classifieds forum threads.By replying to this thread you agree to abide by the trading rules detailed here.Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

Landline telephone number. Make a call to check out the area code and number are correct, too

Name and address including postcode

Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.